SA-MP Forums Archive
Anti SQL Injection, how it works on samp - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: Anti SQL Injection, how it works on samp (/showthread.php?tid=632611)

Anti SQL Injection, how it works on samp - Lester23 - 16.04.2017

Hi, I'm kinda new to this, so I'm asking you people: how can I protect my server from SQL injections? I do have a gamemode (just playing around with it) and saw some people talking about SQL injections, so I began to get a bit worried.

I looked over the internet and saw an injection in /changepass:
Code:
 ', playerMoney = '1' WHERE playerName = 'x' #
I tried to do it on my server and it didn't work, yay. My question is: how can someone inject into your DB (commands, etc.), and how do I protect it? I don't want a tutorial though, just general knowledge.

Thank you !!


Re: Anti SQL Injection, how it works on samp - Vince - 16.04.2017

With SQLite use %q for strings in format(), with MySQL use %e for strings in mysql_format. That's sufficient. In other languages (e.g. PHP) use prepared queries.

Interactive demo: https://www.codebashing.com/sql_demo
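As an added illustration of the question asked above and of Vince's answer (this is not code from the thread or from SA-MP), the following Python script runs the /changepass payload quoted in the first post against a constructed in-memory SQLite table, once through a handler that pastes user input into the SQL text (the %s pattern) and once through a parameterised handler. Assumptions: the table layout (playerName, password, playerMoney) is made up to match the column names in the payload, and MySQL's `#` line comment is replaced by SQLite's `--` so the same trick parses in SQLite. The `?` placeholders play the role that %e in mysql_format and %q in format() play in Pawn: the quote characters in the input stay data instead of ending the string literal.

```python
import sqlite3

# Constructed sample data: a tiny "players" table like the one a /changepass
# command would update. Column names mirror the payload quoted in the thread.
SAMPLE_PLAYERS = [
    ("x", "victim-pass", 0),
    ("y", "attacker-pass", 0),
]

# The payload from the thread, adapted for SQLite: MySQL's '#' line comment
# is replaced by SQLite's '--' (assumption: the original target was MySQL).
PAYLOAD = "', playerMoney = '1' WHERE playerName = 'x' --"


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE players (playerName TEXT PRIMARY KEY, "
        "password TEXT, playerMoney INTEGER)"
    )
    con.executemany("INSERT INTO players VALUES (?, ?, ?)", SAMPLE_PLAYERS)
    con.commit()
    return con


def changepass_vulnerable(con, player_name, new_password):
    """The %s-style pattern: user input is pasted straight into the SQL text.

    Returns the SQL that actually ran so the effect can be inspected.
    """
    sql = ("UPDATE players SET password = '" + new_password
           + "' WHERE playerName = '" + player_name + "'")
    con.execute(sql)
    con.commit()
    return sql


def changepass_safe(con, player_name, new_password):
    """Parameterised form: the driver sends the values separately from the
    statement, so the input can never change the statement's structure.
    This is what %e / %q approximate by escaping the quotes in the input.
    """
    sql = "UPDATE players SET password = ? WHERE playerName = ?"
    con.execute(sql, (new_password, player_name))
    con.commit()
    return sql


def snapshot(con):
    """Return {playerName: (password, playerMoney)} for every row."""
    rows = con.execute("SELECT playerName, password, playerMoney FROM players")
    return {name: (pw, money) for name, pw, money in rows}


def run_demo():
    """Run the payload through both handlers as player 'y' and return the
    resulting table states so the difference is visible.

    Vulnerable: the statement becomes
      UPDATE players SET password = '', playerMoney = '1'
        WHERE playerName = 'x' --' WHERE playerName = 'y'
    so player x (not y) is modified. Safe: y's password becomes the literal
    payload string and x is untouched.
    """
    vuln_db = make_db()
    changepass_vulnerable(vuln_db, "y", PAYLOAD)

    safe_db = make_db()
    changepass_safe(safe_db, "y", PAYLOAD)
    return snapshot(vuln_db), snapshot(safe_db)


if __name__ == "__main__":
    vuln, safe = run_demo()
    print("vulnerable handler:", vuln)
    print("safe handler:      ", safe)
```

Running it shows the point of the thread in one glance: with string pasting, player y's "new password" rewrites player x's row (password emptied, playerMoney set to 1); with parameters, the whole payload is stored as y's password and nothing else changes. Blacklisting characters such as `'` or `#` does not give this guarantee, because the statement text is still being built from the input.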


Re: Anti SQL Injection, how it works on samp - Lester23 - 16.04.2017

Yeah... figured out I have a %s vulnerability and it crashes my server :S

Mind helping me please? I added this below the last #include.

I tried to add this:
Code:
// Blacklist of characters the dialog input is checked against.
static const antisqlinjection[][] = {
    "'",
    "#",
    "`",
    "%"
};


and this to public OnDialogResponse, right below public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[]):


Code:
// Runs before dialogid is checked, so it applies to every dialog's input.
// SCM is assumed to be a SendClientMessage macro defined elsewhere in the gamemode.
for(new i; i < sizeof(antisqlinjection); i++)
{
    // strfind with ignorecase = true; returns -1 when the substring is absent
    if(strfind(inputtext, antisqlinjection[i], true) != -1)
    {
        SCM(playerid, COLOR_YELLOW, "Your input contains characters that are not allowed.");
        return 1;
    }
}


I can make another thread if needed, but please help :S The compiler just crashes.


Re: Anti SQL Injection, how it works on samp - DRIFT_HUNTER - 16.04.2017

mysql_real_escape_string or mysql_format with %e for user input strings.